[ISN] Lawmaker may revisit computer security law

From: InfoSec News (isn@private)
Date: Mon Apr 10 2006 - 22:18:59 PDT


http://www.govexec.com/story_page.cfm?articleid=33811

By Daniel Pulliam
dpulliam @ govexec.com 
April 10, 2006

Recent criticism of the federal law governing agencies' policies on
information technology security has attracted the attention of a key
legislator.

Tom Davis, R-Va., chairman of the House Government Reform Committee,
said in April 3 letters to two vocal critics of the 2002 Federal
Information Security Management Act that he is "not so naïve or
stubborn as to think FISMA is a panacea or that important improvements
could not be made."

The letters were in response to comments in a March 15 Government
Executive article [1] where several observers expressed concern that
government computer systems remain insecure despite the millions of
dollars agencies spend complying with the cybersecurity law.

Davis said in the letters that he is interested in discussing the
concerns about FISMA, and ideas for strengthening the law.

Alan Paller, research director of the nonprofit cybersecurity research
group SANS Institute and one of the recipients [2] of the letters,
said he is impressed with Davis' openness to new ideas. He said he
responded with a three-page letter outlining his concerns.

Under FISMA, agencies are required to produce reports detailing risks
posed by IT systems' vulnerabilities and authorizing the systems'
continued use, a process known as certification and accreditation. But
this process fails to test a system's true security and is 10 times as
expensive as it needs to be, Paller said.

"Because you're writing a report about security instead of testing
security, you don't find out what the actual vulnerabilities were,"  
Paller said.

Former Energy Department chief information security officer Bruce
Brody, the other recipient of an almost identical letter [3] from
Davis, said he is looking forward to working with the congressman on
improving FISMA. Brody is vice president for information security at
the Reston, Va.-based government market analysis firm INPUT.

"[FISMA] is a real paper drill that means nothing when it comes to
information security," Brody said. "How do we get to the next stage of
FISMA -- to get from the paper-based processes ... to the more
technical processes?"

Federal agencies are failing to perform a five-step litmus test that
would measure their IT security better than the current requirements,
Brody said. That test would involve determining the boundaries of
networks, their configuration, the devices connected to them, the
users of the devices and what the users are doing with the devices.

"If I just knew those five things, I'd be better off then I am today,"  
Brody said. "Paper-based processes don't get you to those five
things."

While Paller and Brody are two of the most vocal opponents of the
FISMA reporting process, they are not alone in calling for reform of
the law.

Former Air Force Chief Information Officer John Gilligan, now vice
president and deputy director of the defense sector for the Fairfax,
Va., IT firm SRA, said while there are positive aspects to the law, he
would like to see the process revised.

FISMA fails to measure the entire scope of an agency's systems;  
rather, it focuses on specific parts of the systems, Gilligan said.

"The initial intent [of FISMA] was good," he said. "The danger is
that, just because you did well on FISMA, you think you're highly
secure. It may be, but it may not be."

Nevertheless, an inability to "do the paperwork" is probably a good
indicator that an agency's systems are not secure, Gilligan said.

Bob Dix, executive vice president for public affairs and corporate
development at Citadel Security Software, a Dallas-based IT security
firm, and former staff director of the House Government Reform
Committee's technology subcommittee, characterized the criticism [4]
FISMA as "much ado about nothing," but said he is pleased that Davis
is seeking input from those who believe the law needs updating.

"I would be the first guy to say that after five years of the law
being in place, it should be amended to reflect the experience we've
had," Dix said. "But to suggest that it hasn't contributed to security
is just a mischaracterization."

The Office of Management and Budget, asked to comment on the issue of
revising FISMA, referred to an April 2005 statement from Karen Evans,
OMB administrator for e-government and IT. She argued that FISMA is
working and said "substantial revision could delay additional
progress."

[1] http://www.govexec.com/features/0306-15/0306-15admt.htm
[2] http://www.govexec.com/pdfs/PALLER.pdf
[3] http://www.govexec.com/pdfs/BRODY.pdf
[4] http://www.govexec.com/dailyfed/0306/031606p1.htm

©2006 by National Journal Group Inc. All rights reserved.



_________________________________
LayerOne 2006 : Pasadena Hilton : Pasadena, CA
Infomation Security and Technology Conference
http://layerone.info



This archive was generated by hypermail 2.1.3 : Mon Apr 10 2006 - 22:32:34 PDT